this post was submitted on 07 Apr 2025
47 points (96.1% liked)

Selfhosted

46376 readers
822 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
47
Basic networking/subnetting question. (lemmy.dbzer0.com)
submitted 3 weeks ago by marauding_gibberish142@lemmy.dbzer0.com to c/selfhosted@lemmy.world
65 comments fedilink hide all child comments
 

Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

Let's say I have a Linux box working as a router and a dumb switch (I.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

What I'm asking is; do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] non_burglar@lemmy.world 1 points 3 weeks ago (1 children)

For simple cases you might be able to use 802.1x authentication if "trust" is the issue. This doesnt scale well as a solution on a larger network though.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 3 weeks ago (1 children)

Hmm, I haven't heard of that before. Could you explain?

[–] non_burglar@lemmy.world 1 points 3 weeks ago (1 children)

https://en.m.wikipedia.org/wiki/IEEE_802.1X

802.1x are a set of protocols that allow port access to be locked to specific devices, which would preclude your need for multiple subnets. You would likely need a few extra physical ports on your white box router, the unmanaged switch could later become overwhelmed passing traffic in a more complicated setup, and you would still need to keep trusted and untrusted traffic separate at the gateway subnet.

Your use case is exactly why vlans were invented.

However, I suspect from your other answers that you are actually looking for an open source managed switch so your entire networking stack is auditable.

There are a few solutions like opx, but hardware supporting opx is prohibitively expensive and it is almost always cheaper to build a beige box and use Linux or get a 2nd hand supported device and use openwrt.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 3 weeks ago (1 children)

Ah, is that something like sticky ports?

Indeed, I would like to run a switch with a FOSS OS, and I don't see any viable way of doing that. Unfortunate, but whitebox router + switch it is then

[–] non_burglar@lemmy.world 1 points 3 weeks ago (1 children)

The effect is similar to sticky ports, but sticky ports is just filtering based on Mac address, which can be spoofed.

802.11x allows traffic from a device only if they also have the correct EAP certificate.

[–] marauding_gibberish142@lemmy.dbzer0.com 1 points 3 weeks ago

I see. I didn't know about this. I have saved your comment, I'll come back to this in a bit